unit 5 in the database for master of Engineering
Discretionary Access Control Based on Granting and Revoking Privileges
• The typical method of enforcing discretionary access control in a database system is based on the granting and revoking of privileges. Let us consider privileges in the context of a relational DBMS.
1. Types of Discretionary Privileges
• The DBMS must provide selective access to each relation in the database based on specific accounts. Operations may also be controlled; thus, having an account does not necessarily entitle the account holder to all the functionality provided by the DBMS. Informally, there are two levels for assigning privileges to use the database system:
• The account level. At this level, the DBA specifies the particular privileges that each account holds independently of the relations in the database.
• The relation (or table) level. At this level, the DBA can control the privilege to access each individual relation or view in the database.
• References privilege on R. This gives the account the capability to reference (or refer to) a relation R when specifying integrity constraints. This privilege can also be restricted to specific attributes of R.
Specifying Privileges through the Use of Views
• The mechanism of views is an important discretionary authorization mechanism in its own right. For example, if the owner A of a relation R wants another account B to be able to retrieve only some fields of R, then A can create a view V of R that includes only those attributes and then grant SELECT on V to B.
Revoking of Privileges
• In some cases it is desirable to grant a privilege to a user temporarily. For example, the owner of a relation may want to grant the SELECT privilege to a user for a specific task and then revoke that privilege once the task is completed. Hence, a mechanism for revoking privileges is needed.
Propagation of Privileges Using the GRANT OPTION
• Whenever the owner A of a relation R grants a privilege on R to another account B, the privilege can be given to B with or without the GRANT OPTION. If the GRANT OPTION is given, this means that B can also grant that privilege on R to other accounts.
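As an added illustration (not part of the slides), a small Python model of the grant/revoke bookkeeping described in the three sections above: a grant WITH GRANT OPTION lets the grantee pass the privilege on, and revoking it from B also withdraws what B passed to C. The account names, the EMPLOYEE relation and the PrivilegeTable class are constructed for this example; a real DBMS keeps the same information in its catalog behind GRANT and REVOKE statements.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    privilege: str      # e.g. "SELECT"
    relation: str       # e.g. "EMPLOYEE"
    grant_option: bool  # True == granted WITH GRANT OPTION


class PrivilegeTable:
    """Toy authorization table: who granted what to whom, and whether the
    grantee may pass it on. Timestamps and attribute-level privileges are ignored."""

    def __init__(self, owners: dict):
        self.owners = owners   # relation -> owning account (constructed)
        self.grants = []

    def holds(self, account: str, privilege: str, relation: str) -> bool:
        if self.owners.get(relation) == account:
            return True        # the owner holds every privilege on its relation
        return any(g.grantee == account and g.privilege == privilege
                   and g.relation == relation for g in self.grants)

    def can_grant(self, account: str, privilege: str, relation: str) -> bool:
        """Owner, or holder of the privilege WITH GRANT OPTION."""
        if self.owners.get(relation) == account:
            return True
        return any(g.grantee == account and g.privilege == privilege
                   and g.relation == relation and g.grant_option
                   for g in self.grants)

    def grant(self, grantor, grantee, privilege, relation, grant_option=False):
        if not self.can_grant(grantor, privilege, relation):
            raise PermissionError(f"{grantor} may not grant {privilege} on {relation}")
        self.grants.append(Grant(grantor, grantee, privilege, relation, grant_option))

    def revoke(self, grantor, grantee, privilege, relation):
        """Drop grantor's grant to grantee, then cascade: every remaining grant
        whose grantor can no longer back it with a GRANT OPTION is dropped too,
        until nothing changes."""
        self.grants = [g for g in self.grants
                       if not (g.grantor == grantor and g.grantee == grantee
                               and g.privilege == privilege and g.relation == relation)]
        changed = True
        while changed:
            changed = False
            for g in list(self.grants):
                if not self.can_grant(g.grantor, g.privilege, g.relation):
                    self.grants.remove(g)
                    changed = True


def demo_cascade() -> dict:
    """A owns EMPLOYEE; A -> B WITH GRANT OPTION; B -> C; then A revokes from B."""
    t = PrivilegeTable({"EMPLOYEE": "A"})
    t.grant("A", "B", "SELECT", "EMPLOYEE", grant_option=True)
    t.grant("B", "C", "SELECT", "EMPLOYEE")
    before = {acct: t.holds(acct, "SELECT", "EMPLOYEE") for acct in "ABC"}
    t.revoke("A", "B", "SELECT", "EMPLOYEE")
    after = {acct: t.holds(acct, "SELECT", "EMPLOYEE") for acct in "ABC"}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo_cascade())
```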
Mandatory Access Control and Role-Based Access Control for Multilevel Security
• The discretionary access control technique of granting and revoking privileges on relations has traditionally been the main security mechanism for relational database systems. This is an all-or-nothing method: A user either has or does not have a certain privilege.
• In many applications, an additional security policy is needed that classifies data and users based on security classes. This approach, known as mandatory access control (MAC), would typically be combined with the discretionary access control mechanisms.
Comparing Discretionary Access Control and Mandatory Access Control
• Discretionary access control (DAC) policies are characterized by a high degree of flexibility, which makes them suitable for a large variety of application domains. The main drawback of DAC models is their vulnerability to malicious attacks, such as Trojan horses embedded in application programs.
• The reason is that discretionary authorization models do not impose any control on how information is propagated and used once it has been accessed by users authorized to do so.
SQL Injection
• SQL injection is a code injection technique that might destroy your database.
• SQL injection is one of the most common web hacking techniques.
• SQL injection is the placement of malicious code in SQL statements, via web page input.
• SQL in Web Pages
• SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id, the user gives you an SQL statement that you will unknowingly run on your database.
• SQL Injection Based on 1=1 is Always True
• Look again at the example code that builds a query from a UserId input (txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId). The original purpose of the code was to create an SQL statement to select a user with a given user id.
• If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this:
• UserId: 105 OR 1=1
• Then, the SQL statement will look like this:
• SELECT * FROM Users WHERE UserId = 105 OR 1=1
• SQL Injection Based on ""="" is Always True
• Here is an example of a user login on a web site:
• Username: John Doe
• Password: myPass
• Example
uName = getRequestString("username");
uPass = getRequestString("userpassword");
sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + '"';
SQL Injection Based on Batched SQL Statements
• Most databases support batched SQL statements.
• A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.
• The SQL statement below will return all rows from the "Users" table, then delete the "Suppliers" table.
• Example
SELECT * FROM Users; DROP TABLE Suppliers
• Look at the following example:
Example
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
• And the following input:
– User id: 105; DROP TABLE Suppliers
– The resulting SQL statement (syntactically valid, so the database runs both parts) would look like this:
Result
SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers;
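The two injection cases above (1=1 and the batched DROP), run against a constructed in-memory SQLite database with Python's sqlite3 module, as an added example that is not from the slides: the concatenating code of the slides beside a parameterized and a validated replacement. Table contents, row values and function names are assumptions made for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample tables (not from the page) mirroring the slides' Users and Suppliers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT);
        INSERT INTO Users VALUES (105, 'John Doe', 'myPass'), (106, 'Jane Roe', 'secret');
        CREATE TABLE Suppliers (SupplierId INTEGER, Name TEXT);
        INSERT INTO Suppliers VALUES (1, 'ACME');
    """)
    return conn


def table_exists(conn, name: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row is not None


def select_user_vulnerable(conn, txt_user_id: str) -> list:
    """The slides' pattern: the request string is spliced into the SQL text,
    so '105 OR 1=1' turns the WHERE clause into a tautology and every row comes back."""
    txt_sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(txt_sql).fetchall()


def select_user_parameterized(conn, txt_user_id: str) -> list:
    """Bound parameter: the input reaches the engine as a value, never as SQL,
    so '105 OR 1=1' is just a string that equals no UserId."""
    return conn.execute("SELECT * FROM Users WHERE UserId = ?", (txt_user_id,)).fetchall()


def select_user_validated(conn, txt_user_id: str) -> list:
    """Defence in depth: reject anything that is not an integer before it
    reaches the database at all."""
    user_id = int(txt_user_id)   # raises ValueError for '105 OR 1=1'
    return conn.execute("SELECT * FROM Users WHERE UserId = ?", (user_id,)).fetchall()


def batched_vulnerable(conn, txt_user_id: str) -> bool:
    """Same concatenation, sent through a driver call that accepts a batch
    (sqlite3's executescript). Returns whether Suppliers still exists afterwards."""
    conn.executescript("SELECT * FROM Users WHERE UserId = " + txt_user_id)
    return table_exists(conn, "Suppliers")


def batched_parameterized(conn, txt_user_id: str) -> bool:
    """A bound value cannot end the statement, so no second statement can run."""
    conn.execute("SELECT * FROM Users WHERE UserId = ?", (txt_user_id,)).fetchall()
    return table_exists(conn, "Suppliers")
```

sqlite3's single-statement execute() happens to refuse "105; DROP TABLE Suppliers" outright, which is why the batched case goes through executescript; that driver quirk is not a defence, the bound parameter is.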
Statistical Database Security
• Statistical databases typically contain parameter data and the measured data for these parameters.
• There are different types of database security, such as encryption, authentication, backup, application security and physical security, which should be implemented in your business.
• Statistical database security techniques must prohibit the retrieval of individual data. This can be achieved by prohibiting queries that retrieve attribute values and by allowing only queries that involve statistical aggregate functions such as COUNT, SUM, MIN, MAX, AVERAGE, and STANDARD DEVIATION. Such queries are sometimes called statistical queries.
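A query gate that implements the rule above, as an added Python example (not from the slides) over constructed sample data: only whitelisted aggregate functions over whitelisted columns are ever built into SQL text, the filter value is bound, and, one step beyond the slide, a query whose result set is smaller than an assumed minimum is refused, because an aggregate over a single row still returns that individual's value. SQLite has no STDDEV, so it is derived from SUM, SUM of squares and COUNT; the table, column names and the minimum size are assumptions.

```python
import math
import sqlite3

# Whitelists: the only identifiers that may ever be spliced into SQL text.
AGGREGATES = {"COUNT", "SUM", "MIN", "MAX", "AVG", "STDDEV"}
STAT_COLUMNS = {"Salary"}      # columns that may be aggregated
FILTER_COLUMNS = {"Dept"}      # columns that may appear in a predicate
MIN_QUERY_SET = 2              # assumed policy, not from the slide: smaller sets reveal individuals


def make_stat_db() -> sqlite3.Connection:
    """Constructed sample data for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Person (Name TEXT, Dept TEXT, Salary INTEGER);
        INSERT INTO Person VALUES
            ('A', 'HR', 50000), ('B', 'HR', 60000),
            ('C', 'IT', 70000), ('D', 'IT', 90000), ('E', 'IT', 80000),
            ('F', 'Legal', 65000);
    """)
    return conn


def statistical_query(conn, func, column="Salary", filter_col=None, filter_val=None):
    """Run one statistical query; anything that is not an aggregate over a
    permitted column, or that would aggregate too few rows, is refused."""
    func = func.upper()
    if func not in AGGREGATES:
        raise PermissionError(f"{func} is not a permitted statistical function")
    if column not in STAT_COLUMNS and not (func == "COUNT" and column == "*"):
        raise PermissionError(f"{column} may not be retrieved or aggregated")
    where, params = "", ()
    if filter_col is not None:
        if filter_col not in FILTER_COLUMNS:
            raise PermissionError(f"{filter_col} may not be used in a predicate")
        where, params = f" WHERE {filter_col} = ?", (filter_val,)   # value is bound, never spliced
    n = conn.execute(f"SELECT COUNT(*) FROM Person{where}", params).fetchone()[0]
    if n < MIN_QUERY_SET:
        raise PermissionError(f"query set of {n} row(s) would reveal individual data")
    if func == "STDDEV":
        # SQLite has no STDDEV: population std dev from SUM, SUM of squares and COUNT.
        s, sq = conn.execute(f"SELECT SUM({column}), SUM({column}*{column}) FROM Person{where}",
                             params).fetchone()
        mean = s / n
        return math.sqrt(sq / n - mean * mean)
    return conn.execute(f"SELECT {func}({column}) FROM Person{where}", params).fetchone()[0]
```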
Encryption and Public Key Infrastructures
• Encryption is the conversion of data into a form, called a ciphertext, which cannot be easily understood by unauthorized persons. It enhances security and privacy when access controls are bypassed, because in cases of data loss or theft, encrypted data cannot be easily understood by unauthorized persons.
• With this background, we adhere to the following standard definitions:
• Ciphertext: Encrypted (enciphered) data.
• Plaintext (or cleartext): Intelligible data that has meaning and can be read or acted upon without the application of decryption.
• Encryption: The process of transforming plaintext into ciphertext.
• Decryption: The process of transforming ciphertext back into plaintext.
• Encryption consists of applying an encryption algorithm to data using some prespecified encryption key. The resulting data has to be decrypted using a decryption key to recover the original data.
The Data Encryption and Advanced Encryption Standards
• The Data Encryption Standard (DES) is a system developed by the U.S. government for use by the general public.
• The DES algorithm is a careful and complex combination of two of the fundamental building blocks of encryption: substitution and permutation (transposition).
Survivability
• Survivability of a system is the capability of a system to fulfill its mission in a timely manner in the presence of attacks, failures, or accidents.
• Considering the vast growth in volume and speed of threats to databases and information assets, research efforts need to be devoted to the following issues: data quality, intellectual property rights, and database survivability. These are only some of the main challenges that researchers in database security are trying to address.
Database Survivability
• Database systems need to operate and continue their functions, even with reduced capabilities, despite disruptive events such as information warfare attacks. A DBMS, in addition to making every effort to prevent an attack and detecting one in the event of occurrence, should be able to do the following:
• Confinement. Take immediate action to eliminate the attacker's access to the system and to isolate or contain the problem to prevent further spread.
• Damage assessment. Determine the extent of the problem, including failed functions and corrupted data.
• Reconfiguration. Reconfigure to allow operation to continue in a degraded mode while recovery proceeds.
• Repair. Recover corrupted or lost data and repair or reinstall failed system functions to reestablish a normal level of operation.
• Fault treatment. To the extent possible, identify the weaknesses exploited in the attack and take steps to prevent a recurrence.
• Oracle Label Security controls the display of individual table rows using labels that are assigned to individual table rows and application users.
• Oracle Label Security is based on multi-level security (MLS) requirements that are found in government and defense organizations. You can easily restrict sensitive information to only authorized users. Oracle Label Security is based on Oracle Virtual Private Database (VPD). However, unlike VPD, Oracle Label Security provides the access mediation functions, data dictionary tables, and policy based architecture out of the box, eliminating customized coding and providing a consistent label based access control model that can be used by multiple applications. Oracle Label Security policies can be applied to one or more application tables. Oracle Label Security works by comparing the row label with a user's label authorizations. Oracle Label Security software is installed by default, but not automatically enabled.
Benefits of Oracle Label Security
• Oracle Label Security provides several benefits for controlling row level management.
• It enables row level data classification and provides out of the box access mediation based on the data classification and the user label authorization or security clearance.
• It enables you to assign label authorizations or security clearances to both database users and application users.
• It provides both a graphical user interface and APIs for defining and storing data classification labels and user label authorizations.
• It integrates with Oracle Database Vault and Oracle Advanced Security Data Redaction, enabling security clearances to be used in both Database Vault command rules and Data Redaction policy definitions.
Components of Oracle Label Security
• An Oracle Label Security policy has a standard set of components.
• These components are as follows:
• Labels. Labels for data and users, along with authorizations for users and program units, govern access to specified protected objects. Labels are composed of the following:
• Levels. Levels indicate the type of sensitivity that you want to assign to the row, for example, SENSITIVE or HIGHLY SENSITIVE.
• Compartments. (Optional) Data can have the same level (Public, Confidential and Secret), but can belong to different projects inside a company, for example ACME Merger and IT Security. Compartments represent the projects in this example, which help define more precise access controls. They are most often used in government environments.
• Groups. (Optional) Groups identify organizations owning or accessing the data, for example, UK, US, Asia, Europe. Groups are used both in commercial and government environments, and frequently used in place of compartments due to their flexibility.
• Policy. A policy is a name associated with these labels, rules, authorizations, and protected tables.
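How the row-label comparison can work in terms of the three label components above, as an added Python example (not Oracle's code): labels carry a level, compartments and groups in a colon-separated text layout assumed here, and the read rule, also an assumption stated in the code, is that the user's level must dominate the row's, every compartment on the row must be held, and at least one of the row's groups must be shared. The level ordering, row names and labels are constructed.

```python
from dataclasses import dataclass

# Ordered sensitivity levels (constructed numbering; names follow the slide).
LEVELS = {"PUBLIC": 10, "CONFIDENTIAL": 20, "SENSITIVE": 30, "HIGHLY_SENSITIVE": 40}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset   # projects the data belongs to, e.g. MERGER, ITSEC
    groups: frozenset         # organizations owning/accessing it, e.g. UK, US


def parse_label(text: str) -> Label:
    """Parse 'LEVEL:COMP1,COMP2:GRP1,GRP2' (assumed layout); compartments and groups are optional."""
    parts = (text.split(":") + ["", ""])[:3]
    level = parts[0].strip().upper()
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")

    def split(field: str) -> frozenset:
        return frozenset(x.strip().upper() for x in field.split(",") if x.strip())

    return Label(level, split(parts[1]), split(parts[2]))


def can_read(user: Label, row: Label) -> bool:
    """Assumed read-access rule: level dominance, all row compartments held,
    and at least one row group shared (rows without groups need none)."""
    if LEVELS[user.level] < LEVELS[row.level]:
        return False
    if not row.compartments <= user.compartments:
        return False
    if row.groups and not (row.groups & user.groups):
        return False
    return True


def visible_rows(user_label: str, rows: list) -> list:
    """Filter (name, label) rows the way a label policy applied to a table would."""
    user = parse_label(user_label)
    return [name for name, label in rows if can_read(user, parse_label(label))]


# Constructed sample rows using the levels, compartments and groups named on the slide.
ROWS = [
    ("merger_memo", "SENSITIVE:MERGER:UK"),
    ("pentest_report", "HIGHLY_SENSITIVE:ITSEC:US,UK"),
    ("press_release", "PUBLIC"),
]

if __name__ == "__main__":
    for user in ("SENSITIVE:MERGER,ITSEC:UK", "HIGHLY_SENSITIVE:MERGER,ITSEC:US"):
        print(user, "->", visible_rows(user, ROWS))
```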
